To: 


Of: 


Information Commissioner's Office 


ENFORCEMENT NOTICE 


THE DATA PROTECTION ACT 2018 
PART 6, SECTION 149 


DATED 6 JULY 2018 


AggregatelQ Data Services Ltd (“AIQ”) 


1200 Waterfront Centre 
200 Burrard Street 
P.O. Box 48600 
Vancouver BC V7X 1T2 
Canada 


AIQ is a controller as defined in Article 4(7) of the General Data 
Protection Regulation EU2016/679 (“GDPR”) and section 6 of the Data 
Protection Act 2018 (“DPA”). 


The provisions of the DPA and GDPR apply to the processing of 
personal data by AIQ (“the controller”) by virtue of section 207(3) of 
the DPA and Article 3(2)(b) of the GDPR. 


The Information Commissioner (“the Commissioner”) has observed 
with concern the application of techniques hitherto reserved for 
commercial behavioural advertising being applied to political 
campaigning, during recent elections and the EU referendum campaign 
in 2016. 


After initial preparatory evidence gathering, in May 2017 the 
Commissioner announced a formal investigation into the use of data 
analytics in political campaigning. The Commissioner is concerned that 
this has occurred without due legal or ethical consideration of the 
impacts to our democratic system. 


The Commissioner has been in contact with AIQ regarding the 
processing of personal data by AIQ on behalf of UK political 
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organisations, in particular Vote Leave, BeLeave, Veterans for Britain 
and the DUP Vote to Leave. 


As part of AIQ’s contract with these political organisations, AIQ have 
been provided with personal data including names and email addresses 
of UK individuals. This personal data was then used to target 
individuals with political advertising messages on social media. 


In correspondence with the Commissioner dated 31 May 2018, AIQ 
confirmed that personal data regarding UK individuals was still held by 
them. This data is stored on a code repository and has previously been 
subject to unauthorised access by a third party. 


The Commissioner has considered the controller’s compliance with the 
provisions of the GDPR in light of these matters. 


Article 5 (1)(a), (b) and (c) of the GDPR states that personal data shall 
be: 


(a) Processed lawfully, fairly and in a transparent manner in relation 
to the data subject (‘lawfulness, fairness and transparency’). 


(b) Collected for specified, explicit and legitimate purposes and not 
further processed in a manner that is incompatible with those 
purposes; further processing for archiving purposes in the public 
interest, scientific or historical research purposes of statistical 
purposes shall, in accordance with Article 89 (1), not be 
considered to be incompatible with the initial purposes (‘purpose 
limitation’). 


(c) Adequate, relevant and limited to what is necessary in relation to 
the purposes for which they are processed (‘data minimisation’). 


In addition, the processing of personal data will only be lawful if one of 
the six grounds for processing in Article 6 of the GDPR applies. 


Article 14 of the GDPR specifies the information that a controller must 
provide to data subjects about the processing of their data where the 
controller has not obtained that data from those data subjects. 
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The Commissioner is satisfied that the controller has failed to comply 
with Articles 5 (1)(a)-(c) and Article 6 of the GDPR. This is because the 
controller has processed personal data in a way that the data subjects 
were not aware of, for purposes which they would not have expected, 
and without a lawful basis for that processing. Furthermore the 
processing was incompatible with the purposes for which the data was 
originally collected. AIQ has also failed to comply with Article 14 of the 
GDPR in that it has not, to the Commissioner’s knowledge, provided 
data subjects with the information set out in Articles 14(1) and (2), 
and none of the exceptions set out in Article 14(5) apply. 


The Commissioner has considered, as she is required to do under 
section 150(2) of the DPA when deciding whether to serve an 
Enforcement Notice, whether the failure has caused or is likely to cause 
any person damage or distress. The Commissioner takes the view that 
damage or distress is likely as a result of data subjects being denied 
the opportunity of properly understanding what personal data may be 
processed about them by the controller, or being able to effectively 
exercise the various other rights in respect of that data afforded to a 
data subject. 


In view of the above, and in exercise of her powers under section 
149(2)(a) and (b) of the DPA, the Commissioner requires the controller 
to take the steps specified in Annex 1 within 30 days of the date of this 
Notice. 


Consequences of failing to comply with this Enforcement Notice 
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If a person fails to comply with an Enforcement Notice the 
Commissioner may serve a penalty notice on that person under section 
155(1)(b) of the DPA requiring payment of an amount up to 20 million 
Euros, or 4% of an undertaking’s total annual worldwide turnover 
whichever is the higher. 


Right of Appeal 


16. 


By virtue of section 162(1)(c) of the DPA, there is a right of appeal 
against this Notice to the First-tier Tribunal (Information Rights). If an 
appeal is brought this Notice need not be complied with pending 
determination or withdrawal of that appeal. Information about the 
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appeals process may be obtained from: 


First-tier Tribunal (Information Rights) 
GRC & GRP Tribunals 

PO Box 9300 

Leicester 

LE1 8DJ 


Tel: 0300 1234504 

Fax: 0870 739 5836 

Email: GRC@hmcts.gsi.gov.uk 

Website: www.justice.gov.uk/tribunals/general-regulatory-chamber 


17. Any Notice of Appeal should be served on the Tribunal within 28 
calendar days of the date on which this Notice is sent. 


Signed 


Elizabeth Denham 

Information Commissioner 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire 

SK9 5AF 
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ANNEX 1 
TERMS OF THE ENFORCEMENT NOTICE 


AIQ shall within 30 days of the date of this notice: 


Cease processing any personal data of UK or EU citizens obtained from 
UK political organisations or otherwise for the purposes of data 
analytics, political campaigning or any other advertising purposes. 


